Guides: International and Foreign Cyberspace Law Research Guide: European Union

Key to Icons

Georgetown only
On Westlaw
On Lexis
On Bloomberg
PDF
More Info (hover)
Preeminent Treatise
Study Aid

Primary Sources of E.U. Data Protection & Privacy Law

The E.U. has been a pioneer in the fields of data protection and online privacy, having first enacted legislation more than 20 years ago. It recently completed a major reform of its data protection framework, which is intended to enhance protections for individuals, provide a single set of harmonized rules for businesses, and simplify procedures for transferring data outside the E.U.

Current E.U. Data Protection & Privacy Legislation

Listed below are some of the most important pieces of E.U. legislation on data protection and privacy which are in force as of November 2022.

General Data Protection Regulation (GDPR)
This regulation replaced the prior Directive on Personal Data Protection (Directive 95/46 EC) on 25 May 2018.
Data Protection Directive—Police & Criminal Justice Authorities
This directive replaced the prior Council Decision on Personal Data in Criminal Matters (Council Decision 2008/977/JHA). The deadline for member states to transpose the directive into national law was 6 May 2018.
Directive on Privacy and Electronic Communication
Directive on the Re-Use of Public Sector Information
- Directive 2003/98/EC, 2003 O.J. (L345) 90
- Full text in English
Directive on the Retention of Data in Electronic Communications
- Directive 2006/24/EC, 2006 O.J. (L 105) 54
- Full text in English

Prior E.U. Legislation No Longer in Force

The following legislation is no longer in force but may be of interest for historical research.

Directive on Personal Data Protection
Council Decision on Personal Data in Criminal Matters

Explanatory Notes on E.U. Legislation

For those unfamiliar with the different types of E.U. legislation, the following definitions are provided:

Regulations are binding legislative acts of general application that must be complied with upon entry into force by each member state. They supersede any conflicting national laws.
Directives are binding legislative acts of general application that establish a goal or objective. Member states must enact legislation to implement a directive by a specified date, a process known as transposition.
Decisions are legislative acts issued by the Council of the E.U. or by the European Commission that bind only those governments, companies, or individuals to whom they are addressed.

E.U. Charter of Fundamental Rights

The Charter of Fundamental Rights enshrines within a single document the political, social, and economic rights protected by the E.U. It applies to both the E.U. as an institution and to its members states when they implement E.U. law. E.U. courts are empowered to strike down legislation and official actions that are inconsistent with the Charter.

The full text of the Charter is available for download as a PDF. Relevant provisions of the Charter include Article 7 (respect for private and family life), Article 8 (protection of personal data), and Article 11 (freedom of expression and information).

E.U. Case Law

E.U. courts are generating a growing body of case law involving privacy and data protection, most notably the judgment in Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (2014), also known as the “right to be forgotten” case.

Summary of the judgment entered in the Google Spain case.
Full text of the judgment entered in the Google Spain case.

To search by keyword for E.U. case law on privacy and data security, use the EUR-Lex database’s Advanced Search tool and select EU law and case-law→Case-law from the Collection menu in the center of the page to limit your search to cases. Searchable databases of E.U. case law also are available on Lexis and Westlaw.

Additional Resources on E.U. Data Protection

E.U. Data Protection Portal
The European Commission, the executive arm of the E.U., maintains this convenient gateway for information about the E.U.’s data protection and privacy law. Relevant sections include:

European Data Protection Board: Directory of National Data Protection Authorities
The EDPB maintains this page with links to and contact information for the national data protection authorities of E.U. and EEA members.

Secondary Sources of E.U. Data Protection & Privacy Law

Electronic Identity
Call Number: KJC164.C65 E44 2014 and Electronic
The first chapter provides an overview of the legal and regulatory framework for electronic identity in the E.U. and assesses its importance for individual citizens, businesses, and public sector institutions. The second chapter examines the development of the e-certificate system underlying the legal framework.
The Emergence of Personal Data Protection As a Fundamental Right of the E.U.
Call Number: KJE1626 .G66 2014
This study traces how personal data protection came to be recognized as a fundamental right in E.U. law. The author contends that it is essential to understand how this right emerged in order to interpret it correctly.
The Foundations of E.U. Data Protection Law
Call Number: KJE6071 .L96 2015 and Electronic
By challenging the assumption that data protection is merely a subset of the right to privacy, the author explains how this concept evolved in E.U. law from a regulatory instrument into a fundamental right that grants individuals more control over more forms of data than the right to privacy.
Global Data Protection in the Field of Law Enforcement: An EU Perspective
Call Number: KJE5977 .B57 2017
This study examines the frameworks governing the sharing of data for law enforcement purposes, both within the E.U. and between the E.U. and other countries, and the challenges these provisions pose to the E.U.’s data protection regime.
Navigating E.U. Privacy and Data Protection Laws
Call Number: KJE1626 .V67 2015
This resource provides businesses, legal practitioners, and students with a comprehensive overview of current privacy and data protection compliance practices in the E.U. It also highlights supplemental regulations in individual member states.
Private Power, Online Information Flows, and E.U. Law: Mind the Gap
Call Number: KJE6497 .D35 2016
The author examines the extent to which E.U. data protection law, competition law, and human rights law can be utilized to address concentrations of private economic power, which impede the free flow of information on the Internet.
The Right to Be Forgotten: Privacy and the Media in the Digital Age
Call Number: KJE1626 .B76 2016
This book analyzes the controversial judgment of the European Court of Justice in the “Right to be Forgotten” case and its implications for free expression and privacy in an age of information saturation.